Sudo
Description
Allows you to execute a command as another user; by default it requires a password. It can be configured in the /etc/sudoers
file to not require a password for certain commands or for all commands (very dangerous).
Examples
Sudoers file
An example of a sudoers file:
<code class="language-bash">##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
</code>
Explanation
root
Specifies the user that the rule applies to.
ALL=
The rule applies to all hosts.
(ALL:
The user can run all commands as all users.
ALL)
The user can run all commands as all groups.
ALL
The rule applies to all commands.
root ALL=(ALL:ALL) ALL
The root user can run all commands with sudo (root has full system access regardless).
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
Members of the wheel group do not require a password to run commands as root.
%sudo ALL=(ALL:ALL) ALL
Members of the sudo group have access to sudo and can run all commands with it, but a password is required.
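The field breakdown above, turned into a small audit as an added example (not part of the original page or of sudo itself): it splits each rule into who, host, run-as user, run-as group and commands, then reports rules that allow ALL commands without a password. It is a simplified parser that assumes one rule per line with no aliases or line continuations; the `deploy` line is constructed to show that a NOPASSWD: tag applies to the commands that follow it.

```python
import re

# Rules from the sudoers file above, plus one constructed line (deploy) for the tag case.
SUDOERS = """\
root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) /usr/bin/systemctl status ntpdate.service, NOPASSWD: ALL
"""

# who host = (runas_user:runas_group) commands; the parenthesised part is optional
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas_user>[^:)]*)(?::(?P<runas_group>[^)]*))?\)\s*)?"
    r"(?P<commands>.+)$"
)
TAG = re.compile(r"([A-Z_]+):\s*")
SKIP = re.compile(r"#|@|Defaults|(User|Runas|Host|Cmnd)_Alias\b")


def parse_rule(line):
    """Split one user specification into its fields, or return None for other lines."""
    line = line.strip()
    m = None if not line or SKIP.match(line) else RULE.match(line)
    if m is None:
        return None
    rule, needs_password, commands = m.groupdict(), True, []
    for item in rule["commands"].split(","):
        item = item.strip()
        # A tag such as NOPASSWD: stays in effect for the commands after it.
        while (tag := TAG.match(item)):
            needs_password = {"NOPASSWD": False, "PASSWD": True}.get(tag.group(1), needs_password)
            item = item[tag.end():]
        commands.append((item, needs_password))
    rule["commands"] = commands
    return rule


def passwordless_all(text):
    """Return (line number, who) for each rule granting ALL commands without a password."""
    return [(n, rule["who"]) for n, line in enumerate(text.splitlines(), 1)
            if (rule := parse_rule(line)) and ("ALL", False) in rule["commands"]]


if __name__ == "__main__":
    for n, who in passwordless_all(SUDOERS):
        print(f"line {n}: {who} can run ALL commands without a password")
```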
Example -l
sudo -l
Shows what commands a user can run with sudo. Example output:
<code class="language-bash">Matching Defaults entries for test on test-computer:
    editor=/usr/bin/micro, insults, pwfeedback

User test may run the following commands on test-computer:
    (ALL) ALL
</code>
The output specifies that the test user may run all commands as all users and groups.
Example help
sudo --help
Displays the help page for the sudo command. Example output:
<code class="language-bash">sudo - execute a command as another user

usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

Options:
  -A, --askpass                 use a helper program for password prompting
  -b, --background              run command in the background
  -B, --bell                    ring bell when prompting
  -C, --close-from=num          close all file descriptors >= num
  -D, --chdir=directory         change the working directory before running command
  -E, --preserve-env            preserve user environment when running command
      --preserve-env=list       preserve specific environment variables
  -e, --edit                    edit files instead of running a command
  -g, --group=group             run command as the specified group name or ID
  -H, --set-home                set HOME variable to target user's home dir
  -h, --help                    display help message and exit
  -h, --host=host               run command on host (if supported by plugin)
  -i, --login                   run login shell as the target user; a command may also be specified
  -K, --remove-timestamp        remove timestamp file completely
  -k, --reset-timestamp         invalidate timestamp file
  -l, --list                    list user's privileges or check a specific command; use twice for longer format
  -n, --non-interactive         non-interactive mode, no prompts are used
  -P, --preserve-groups         preserve group vector instead of setting to target's
  -p, --prompt=prompt           use the specified password prompt
  -R, --chroot=directory        change the root directory before running command
  -S, --stdin                   read password from standard input
  -s, --shell                   run shell as the target user; a command may also be specified
  -T, --command-timeout=timeout terminate command after the specified time limit
  -U, --other-user=user         in list mode, display privileges for user
  -u, --user=user               run command (or edit file) as specified user name or ID
  -V, --version                 display version information and exit
  -v, --validate                update user's timestamp without running a command
  --                            stop processing command line arguments
</code>
Example package manager
sudo dnf install python
Runs the dnf package manager as root to install python.
Example systemctl (services)
sudo systemctl status ntpdate.service
Checks the ntpdate service. Example output:
<code class="language-bash">[sudo] password for test:
○ ntpdate.service - One-Shot Network Time Service
     Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; preset: disabled)
     Active: inactive (dead)
</code>
Example login with sudo
sudo -i -u test
Logs in as another user, here the test user.